Revisiting Network Traffic Analysis: Compatible network flows for ML models

TL;DR

This paper explores how analyzing raw network packets and extracting consistent features can improve the training and robustness of ML models for cyberattack detection in IoT networks.

Contribution

It demonstrates that preprocessing PCAP files to generate new features enhances model performance and compatibility across datasets compared to using only original CSV data.

Findings

Analyzing PCAP files yields more relevant features for ML training.

Preprocessed features improve detection accuracy of ensemble models.

Enhanced feature extraction aids in dataset compatibility and model robustness.

Abstract

To ensure that Machine Learning (ML) models can perform a robust detection and classification of cyberattacks, it is essential to train them with high-quality datasets with relevant features. However, it can be difficult to accurately represent the complex traffic patterns of an attack, especially in Internet-of-Things (IoT) networks. This paper studies the impact that seemingly similar features created by different network traffic flow exporters can have on the generalization and robustness of ML models. In addition to the original CSV files of the Bot-IoT, IoT-23, and CICIoT23 datasets, the raw network packets of their PCAP files were analysed with the HERA tool, generating new labelled flows and extracting consistent features for new CSV versions. To assess the usefulness of these new flows for intrusion detection, they were compared with the original versions and were used to fine-tune multiple models. Overall, the results indicate that directly analysing and preprocessing PCAP files, instead of just using the commonly available CSV files, enables the computation of more relevant features to train bagging and gradient boosting decision tree ensembles. It is important to continue improving feature extraction and feature selection processes to make different datasets more compatible and enable a trustworthy evaluation and comparison of the ML models used in cybersecurity solutions.